CISA Chapter 1
Matt Starr, 2 May 2014

Transcript of CISA Chapter 1

Organization of IS Auditors
 IS auditors must be both organizationally independent and individually independent
 The IS audit group can be organized in one of three ways
• Independent – not part of another audit group
• Part of the internal audit group
• Integrated with the financial and operational audit function

Internal Audit Charter
• States management's responsibility for, and objectives of, the audit function
• Delegates authority to the audit function
• Developed by the highest level of management
• Details the audit function's authority, scope and responsibility
• Charter approved by senior management

Audit Planning
• Short term – audit issues to be covered during the coming year
• Long term – risk-related issues arising from the overall direction of the IT strategy (which should be aligned with the business strategy)
• Reviewed at least annually and updated for
o New control issues
o Changes in the risk environment
o Enhanced evaluation techniques

Audit Resource Management
 Auditors need competence
• Changing technologies require research and continuing professional education
 Skills and knowledge are taken into consideration when assigning audits
 Detailed staff training plan over the course of the year
 Resources needed for audits include
• Tools
• Methodology
• Work programs

Management of IS Audit Function
o Diverse tasks
o Fulfill the audit function
o Maintain audit independence and competence
o Add value to the management of IT
o Facilitate achievement of business objectives

 External auditors – engagement documented in a formal contract with a statement of work, scope and objectives
CISA Review – Domain 1 (to 1.5)

Internal Audit Assignments
• Planning includes the evaluation of previous audits to modify the approach
• Upcoming projects may affect planning
• Understand the environment under review
o Business processes and the IS that support them
• Consider the area under review and its relationship to the organization
• Items to consider while planning
o Background materials (journals, research, etc.)
o Prior audits
o Review business and IT long-term strategic plans
o Interview key managers to understand business issues
o Identify any regulations applicable to IT
o Identify related outsourced IT
o Tour key organization facilities
• Match available resources to the tasks in the audit plan

Effect of Laws & Regulations on IS Audit Planning
 Regardless of size, every organization must follow some laws and regulations that affect how computers, programs and data are used and stored.
 Certain industries are more heavily regulated and need more specialized attention
• Ex: banks, hospitals, Internet service providers

 Several countries have multiple layers of regulation
• Establishment of the regulatory requirements
• Organization of the regulatory requirements
• Responsibility assigned to the corresponding entities
• Correlation to the financial, operational and IT audit functions
 Areas of concern regarding legal requirements
• Legal requirements placed on the audit or IS audit function
• Legal requirements placed on the auditee
• Impact on audit scope and objectives

Laws & Regulations Cont.
• Health Insurance Portability and Accountability Act (HIPAA) – privacy and security of medical records
• SOX (particularly Section 404, internal control over financial reporting) – uses the COSO framework – applies to public companies
• Basel II – credit risk, operational risk and market risk

Determining an organization's level of compliance with external requirements
• Identify the requirements imposed: data, systems, storage, etc.
• Document the applicable laws and regulations
• Assess management's response
• Review the internal IS department documents that apply
• Determine adherence to established procedures
• Determine whether there are procedures in place for contracts

IT Audit & Assurance Standards
 Code of Professional Ethics – follow it or face possible consequences (loss of certification, prosecution, etc.)
 Standards support the body of knowledge
 Provide assurance to management and other interested parties concerning the work of audit practitioners
 Multiple layers of audit and assurance guidance
• Standards – mandatory
• Guidelines – provide guidance on applying the standards
• Procedures – provide examples of how to follow the standards

• S1 Audit Charter – must exist and be created by the highest levels of the organization
• S2 Independence – professional (impartial toward the auditee) and organizational (independent of the group being audited)
• S3 Professional Ethics – adhere to the Code of Professional Ethics
• S4 Competence – be competent and maintain knowledge
• S5 Planning – comply with laws, use a risk-based approach, develop an audit program

• S6 Performance of Audit Work – be supervised, obtain evidence, and document the work
• S7 Reporting – issue a report after the audit that includes scope, objectives, outcome and recommendations; conclusions should be supported by evidence
• S8 Follow-up – request and evaluate whether appropriate action has been taken on findings

S9 Irregularities and Illegal Acts
o Consider the risk of irregularities when planning the audit
o Maintain professional skepticism during the audit
o Know the organization and its environment
o Obtain sufficient and appropriate evidence to determine whether management is involved
o Consider unusual or unexpected relationships that indicate risk
o Design and test the appropriateness of internal controls and the risk of management override

o After a misstatement is detected, analyze whether the activity is irregular or illegal
o Obtain written representations from management at least annually, in which management:
 Acknowledges its responsibility for internal controls to prevent and detect irregular or illegal activity
 Discloses to the IS auditor the results of any risk assessment of irregularities that may exist
 Discloses to the IS auditor its knowledge of irregularities and/or illegal activities
• Involving management
• Involving employees with significant roles in internal controls
 Discloses any allegations or suspected irregularities

o If irregularities are found, communicate them to the appropriate level of management
o If management is involved, disclose to those charged with governance
o The IS auditor should disclose material weaknesses in internal control
o In exceptional circumstances the auditor should consider the applicable legal and professional responsibilities (reporting to those charged with governance, to authorities, or withdrawing from the audit)
o The IS auditor should document all communications, planning, results, evaluations and conclusions related to irregularities and/or illegal activities.
S10 IT Governance
o Assess the role of IS in the organization
o Is it effective and efficient?
o How is performance judged?
o Is the organization in compliance?
o Use a risk-based approach to assess existing and new IS risks and evaluate the internal control environment

• S11 Use of Risk Assessment in Audit Planning – use a risk assessment technique to prioritize audit needs; also be aware of ongoing projects and how they affect risk
• S12 Audit Materiality
o Consider materiality when assessing risk
o Consider possible weaknesses or absence of controls
o Consider the cumulative effect of minor control weaknesses
o Report ineffective controls
• S13 Using the Work of Other Experts
o Experts need to be qualified
o Expert work is subject to review
o Is the work adequate and complete?
o Perform additional tests where needed for sufficient evidence
o Qualify the audit opinion when the required evidence is not obtained

• S14 Audit Evidence – evidence must be sufficient and appropriate; determine during the audit whether the evidence obtained is sufficient
• S15 IT Controls – evaluate and monitor the internal controls in the environment; the auditor can provide advice before controls are built
• S16 E-commerce – evaluate the applicable controls and assess the risk in e-commerce environments

Guidelines
• Exist to support and help implement the standards
• Apply professional judgment when using them in specific audits
• Justify any departure from them
• Example:
o The use of G1 (Using the Work of Other Auditors), G2 (Audit Evidence Requirement) and G3 (Use of Computer-Assisted Audit Techniques – CAATs) to support S14 (Audit Evidence)
• The book takes special notice of
o G5 – Audit Charter (supports S1 – Audit Charter)
o G9 – Audit Considerations for Irregular and Illegal Acts (supports S9)
o G17 – Effect of Nonaudit Role on the IT Audit and Assurance Professional's Independence (supports S2 – Independence)
o G35 – Follow-up Activities (supports S8)

Tools and Techniques (Procedures)
 Not mandatory; it is up to the auditor whether and how to implement the 11 procedures
• Example: P6 – Firewalls, used in a network security audit.

ITAF – Information Technology Assurance Framework
Comprehensive, good-practice-setting model that provides guidance on the design, conduct and reporting of IT audit and assurance (A&A) assignments
Defines concepts specific to IT assurance
Establishes standards – General, Professional and Reporting

General Standards – guiding principles under which the IT assurance profession operates
Independence and objectivity
Reasonable expectation
Management's acknowledgement
Training and proficiency
Knowledge of subject matter
Due professional care
Suitable criteria

Professional Standards – baseline expectations for the conduct of IT assurance engagements, focusing on design, conduct, evidence and the development of assurance
Planning and supervision – documented, and forming part of the IT assurance work papers
Obtaining sufficient evidence – to achieve a reasonable basis for the conclusion drawn
Assignment performance – the audit schedule must fit the criteria critical to completing the objectives; resources, timing, contacts and more should be considered
Representations – written and oral representations obtained during the audit should be documented and retained. They should be attested to reduce possible misunderstandings

Reporting Standards
The report should state at least these three things:
To whom is the report directed?
What are the nature and objectives of the IT assurance assignment?
What entity, or portion thereof, is covered by the IT assurance report?
Depending on the nature of the IT audit or assurance assignment, details such as government directives and corporate policies should be included to aid understanding of the assignment

IT Assurance Guidelines
• Enterprise Topics
o Executive actions
o External events
o Decisions that impact the IT department (and thus the audit)
• IT Management Processes
o Provide the IT auditor with insight into the practices and procedures of IT departments and help in the design, planning and performance of audits
• IT Audit and Assurance Processes
o Focus on audit approaches, methodologies and techniques
• IT Audit and Assurance Management
o Provides the auditor with an understanding of the information required to manage the audit, such as scope, objectives, documentation, etc.

Risk Analysis
Risk – "The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to an organization"
Have a clear understanding of:
The purpose and nature of the business and related business risks
Dependence on technology and related dependencies
Business risk related to IT dependencies and how it impacts the achievement of business goals
Overview of the business processes and the impact of IT and related risks on them
IT risk is a business risk
It consists of events involving IT that could potentially impact the business
IT risk falls under the umbrella risk category of failure to achieve strategic objectives
The Risk IT framework enables users to
Integrate the management of IT risk into the overall enterprise risk management of the organization
Make well-informed decisions about the extent of the risk
Understand how to respond to risk

The IS auditor is often focused on high-risk issues associated with confidentiality, integrity and availability
Risk assessment is an iterative life cycle